Network security administrators depend heavily on monitoring security logs from firewalls, intrusion prevention systems, servers, applications and other components of a network to better understand and secure that network. Conventionally, security devices such as firewalls and intrusion prevention systems are deployed at the perimeter of the network, and as such they can only send logs related to the traffic that is entering or exiting the perimeter. The micro-segmentation paradigm that has recently been introduced to the market employs a distributed firewall, effectively giving every virtual machine of a virtual network a firewall of its own. Enabling event logging for all firewall connections (i.e., for both north-south and east-west traffic), however, has a significant performance impact on network efficiency. Additionally, event monitoring servers cannot handle the volume of logs that firewalls send out if logging is enabled for all connections.
Firewall vendors therefore provide configuration options to enable logging granularly, on a rule-by-rule basis, to address the scale and performance issues on both the firewalls and the log monitoring servers. The main shortcoming of rule-based event monitoring configuration, however, is that while monitoring critical applications is often the purpose of event monitoring, rule-based monitoring is implemented solely in terms of firewall rules and not of the applications. As such, implementing an application-level change in a rule-based approach is quite challenging. For example, a simple change in the logging policy of an application would require modifying the vast number of firewall rules that correspond to that application. Additionally, in rule-based monitoring the number of logs sent to a log server cannot be adjusted based on an intelligent feedback mechanism.
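The contrast drawn above, as an added Python model that is not part of this document: a constructed distributed-firewall rule set where each application spans one rule per VM pair, a rule-based routine that must touch every rule of an application to change its logging, and an application-level policy that is consulted at rule-evaluation time instead. The application tag on each rule and the sample rule set are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    """One distributed-firewall rule: a simplified match plus a per-rule logging flag.
    The application tag is an assumed attribute for this model."""
    rule_id: int
    src: str
    dst: str
    port: int
    application: str
    log: bool = False


def build_rules() -> list:
    """Constructed sample rule set: three applications, each with one east-west
    rule per ordered VM pair, the way micro-segmentation tends to multiply rules."""
    rules, rid = [], 0
    for app, vm_count, port in (("payroll", 6, 8443), ("crm", 4, 443), ("ci", 3, 22)):
        for i in range(vm_count):
            for j in range(vm_count):
                if i != j:
                    rid += 1
                    rules.append(Rule(rid, f"{app}-vm{i}", f"{app}-vm{j}", port, app))
    return rules


def enable_logging_rule_based(rules: list, application: str) -> int:
    """Rule-based approach: flip the log flag on every rule belonging to the
    application. Returns how many rules had to be modified for one policy change."""
    changed = 0
    for rule in rules:
        if rule.application == application and not rule.log:
            rule.log = True
            changed += 1
    return changed


def should_log(rule: Rule, app_policy: dict) -> bool:
    """Application-based approach: one per-application policy entry decides
    logging at evaluation time, so a policy change modifies no firewall rule."""
    return app_policy.get(rule.application, False)


def count_logged(rules: list, app_policy: dict) -> int:
    """Number of rules whose connections would be logged under the given policy."""
    return sum(1 for rule in rules if should_log(rule, app_policy))
```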